Peter Gutmann wrote:
> Nelson B <[EMAIL PROTECTED]> writes:
>
>>As reported in
>>http://www.informationweek.com/shared/printableArticle.jhtml?articleID=171200010
>>phishers are now using self-signed certs on their phony web sites, to make
>>the lock icons appear for their web sites, to give the victims a false sense
>>of security.
>
>>Of course, the victims must first dismiss a large warning dialog about
>>the cert coming from an unknown issuer. But according to the article,
>>many users dismiss that dialog without any understanding of what it means.
>
> No-one's ever done a rigorous study of this, but there is plenty of anecdotal
> evidence (e.g. the site that had a large red cross and "Invalid Certificate"
> on it that users had to click past before making multi-thousand-dollar
> payments, the bank site with an invalid cert that didn't stop 299 of 300
> users, etc etc) that cert warnings are almost completely ineffective in
> stopping users from going to a web page that they want to visit. That's why
> the best strategy for this is to treat a cert validation failure in the same
> way as a network error: Users know how to handle this, and it puts pressure on
> site admins to get things right.
Peter,

Please spell out for us exactly what you mean by

> "treat a cert validation failure in the same way as a network error"

Do you mean to treat it as an unrecoverable error, with no option to override?
or ??

Thanks for your feedback.

-- 
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
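The two checks behind the lock icon, and the two client policies the thread is arguing about, as an added Go example that is not part of the original message or of Mozilla's code. It mints, in memory, a trusted root, a genuine certificate for the made-up host bank.example issued by that root, and a self-signed certificate for the same host, then shows that the self-signed one passes the hostname check but fails chain validation, and how a client that lets the user override differs from one that reports the failure exactly like a network error with nothing to accept. The host and CA names, the newCert/buildScenario/lockIconChecks/browse helpers and the Outcome strings are all constructed for this example; only the crypto/x509 calls are real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert mints an in-memory certificate for name: self-signed when parent is nil
// (as the phishers' certs are), otherwise issued by the given CA cert and key.
// Errors here can only mean an unusable CSPRNG, so the example panics on them.
func newCert(name string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildScenario constructs the client's trust store (one made-up trusted root), the
// genuine bank cert issued by it, and a phisher's self-signed cert for the same host.
func buildScenario() (trusted *x509.CertPool, genuine, phisher *x509.Certificate) {
	root, rootKey := newCert("Example Trusted Root", true, 1, nil, nil)
	trusted = x509.NewCertPool()
	trusted.AddCert(root)
	genuine, _ = newCert("bank.example", false, 2, root, rootKey)
	phisher, _ = newCert("bank.example", false, 3, nil, nil)
	return trusted, genuine, phisher
}

// lockIconChecks separates the two checks behind the lock icon: does the name match,
// and does the chain end at a trusted root? A self-signed cert for the right name
// passes the first and fails only the second, which is all the warning dialog says.
func lockIconChecks(server *x509.Certificate, trusted *x509.CertPool, host string) (nameOK bool, chainErr error) {
	nameOK = server.VerifyHostname(host) == nil
	_, chainErr = server.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return nameOK, chainErr
}

type Outcome string

const (
	Connected      Outcome = "connected, lock icon shown"
	ClickedThrough Outcome = "connected after the user dismissed a certificate warning"
	Failed         Outcome = "connection failed, no override offered"
)

// browse applies the client policy. allowOverride=true models today's warning dialog,
// which lets the page load once the user clicks past it; allowOverride=false models
// the proposal quoted above: a validation failure is reported like a network error.
func browse(server *x509.Certificate, trusted *x509.CertPool, host string, allowOverride bool) (Outcome, error) {
	_, err := server.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	switch {
	case err == nil:
		return Connected, nil
	case allowOverride:
		return ClickedThrough, nil
	default:
		return Failed, fmt.Errorf("cannot reach %s: %w", host, err)
	}
}

func main() {
	trusted, genuine, phisher := buildScenario()
	for label, cert := range map[string]*x509.Certificate{"genuine": genuine, "phisher": phisher} {
		nameOK, chainErr := lockIconChecks(cert, trusted, "bank.example")
		out, err := browse(cert, trusted, "bank.example", false) // the hard-fail policy
		fmt.Printf("%s: name ok=%v, chain error=%v -> %s (%v)\n", label, nameOK, chainErr, out, err)
	}
}
```

Run with `go run`: the genuine cert connects under either policy; the self-signed cert matches the hostname, fails chain building with x509's "unknown authority" error, and connects only when browse is told an override is allowed. In the hard-fail policy the only thing the caller ever sees is an error value, so there is no code path for a dialog to hang off.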
